Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Window Event (Multiline) nullQueue Question

khyoung7410
Communicator
‎08-08-2019 10:57 PM

Hi
A nullQueue procedure is need in multiline data, such as in a Windows security log.
The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.
If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.
But I have to get another EventCode.
Is there a good way?

-- example data--
08/09/2019 12:21:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=info
ComputerName=PC01

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 11:21 PM

Provided the windows events are properly parsed for multiline, you can keep specific events and discard the rest as below.

1) Edit props.conf and add the following (Modify sourcetype accordingly):

[winSecurityLog]
TRANSFORMS-set= setnull,setparsing

2) Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = PC0[1-2]
DEST_KEY = queue
FORMAT = indexQueue

Reference:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad

0 Karma
Reply

khyoung7410
Communicator
‎08-09-2019 01:42 AM

It doesn't fit the above conditions.

0 Karma
Reply

jawaharas
Motivator
‎08-12-2019 09:13 PM

Is this your condition?

if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)
then
Send_To_NullQueue
else
Send_to_IndexQueue

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...